Summary
Have you ever wondered how a hacker finds that vulnerable server to exploit or gets a list of viable email addresses and names for a spear phishing campaign, or even finds credentials to access internal business systems? Many people’s first thoughts are criminal marketplaces and forums like you see on the Dark Web or specialized hacker toolkits that allow them to gain a competitive advantage over the common person. While some of this is valid, a good chunk of the information hackers leverage when targeting an organization is not due to this specialized access or tools. In fact, anyone with an internet connection and a computer can do a thorough and in-depth reconnaissance of an organization while only needing minimal technical know-how. Over the course of this blog, we’ll identify ways hackers leverage everyday websites and tools to build a picture of a target organization they can use to gain initial access.
All of the Internet Scanners
- Several tools, such as Censys and Shodan, scan the entire public internet space to find internet-exposed devices and the ports and services they present to the world. This allows hackers to determine public-facing misconfigurations and shadow IT that belongs to a target organization. They can search for related TLS certificates, DNS resolutions, HTTP response body strings, etc., to pinpoint what an organization has exposed. Furthermore, these scanners can even indicate what vulnerabilities these assets have to assist with follow-on exploitation.
- The Defensive Measures
- Invest in a tool that continually scans your external attack surface. The only way to stop threat actors from finding your exposed assets is to find those assets first and protect them.
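The comparison such a tool performs can be sketched as follows. This is an added example, not code from the original post: it checks a scan export against an asset inventory and flags exposures the organization did not know about or approve. The record schema, domain, address ranges and function names are all hypothetical, and the data is constructed.

```python
import ipaddress

# Constructed scan export; the record schema is hypothetical, not any vendor's format.
SCAN_EXPORT = [
    {"ip": "203.0.113.10", "port": 443, "service": "https", "cert_names": ["www.example.com"]},
    {"ip": "203.0.113.10", "port": 22, "service": "ssh", "cert_names": []},
    {"ip": "198.51.100.7", "port": 3389, "service": "rdp", "cert_names": ["jump.corp.example.com"]},
    {"ip": "198.51.100.44", "port": 8443, "service": "https", "cert_names": ["*.dev.example.com"]},
    {"ip": "192.0.2.80", "port": 443, "service": "https", "cert_names": ["shop.example.net"]},
]

# Constructed inventory: what the organization believes it exposes.
ORG_DOMAINS = ("example.com",)
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/28")]
APPROVED = {("203.0.113.10", 443)}
MGMT_SERVICES = {"rdp", "ssh", "telnet", "smb", "vnc"}

def in_known_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)

def cert_matches_org(names):
    """True if any certificate name is an org domain or a subdomain of one."""
    for name in names:
        host = name.lower()
        if host.startswith("*."):
            host = host[2:]  # treat a wildcard name as its parent domain
        if any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
            return True
    return False

def review(records):
    """Return (ip, port, reasons) for every org-attributed exposure needing attention."""
    findings = []
    for r in records:
        known = in_known_range(r["ip"])
        if not (known or cert_matches_org(r["cert_names"])):
            continue  # not attributable to the organization
        reasons = []
        if not known:
            reasons.append("shadow IT: outside inventoried ranges")
        if (r["ip"], r["port"]) not in APPROVED:
            reasons.append("exposure not approved")
        if r["service"] in MGMT_SERVICES:
            reasons.append("management service reachable from the internet")
        if reasons:
            findings.append((r["ip"], r["port"], reasons))
    return findings
```

Calling `review(SCAN_EXPORT)` returns three findings for the sample data; the approved HTTPS listener and the unrelated `example.net` host are not reported.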
Social Media
- Social media is a treasure trove of information. A hacker will investigate the social media presence of both the organization itself (think a company's LinkedIn, Instagram, or Twitter page) as well as the social media presence of key individuals within that organization, such as the executive suite, software developers, or IT/security personnel. Specific things that hackers will look at include:
- Pictures of the workplace environment.
- Here, hackers can find images of badges that employees wear to gain access to the facility for replication purposes. They could also find images of the exterior of the building for planning a physical security breach or even pictures containing sensitive data in the background. In past red team engagements that I’ve been a part of, I’ve found all the above and more (including passwords written on a whiteboard in the background of a picture uploaded to LinkedIn).
- Indications that key personnel are out of office
- If a hacker can confirm that an important user is out of the office and on vacation (i.e., that user posts that they are out of town or uploads photos to a public social media page indicating that they are out of town), it gives that hacker more leverage for effective pretexting. For example, a hacker can claim they (pretending to be an executive) urgently need X, Y, or Z and can’t get to it because they are on vacation. This also provides a pretext for why the email or text comes from an unofficial source.
- The Defensive Measures
- Develop a review policy and procedure for anything posted to your corporate social media accounts. Look especially closely at images for any corporate badges/ID cards or information that may be revealed in the background.
- Encourage your employees to be aware of what they post to social media and how open their accounts are.
- Develop multi-person approval chains and persona verification procedures before executing sensitive business actions like wire transfers, account creation, etc. This way, if someone pretends to be a VIP, there are mechanisms in place to verify that identity or require others to approve before an action can be initiated.
Job Postings
- Job postings are a great way to determine what sort of tech an organization has. Are you hiring a system administrator or software dev? If so, you probably listed the types of technology that prospective candidates need to know to be successful. If you happened to be a bit too verbose or granular in this job description and included things like software versions or specific configurations, an attacker now knows what sort of tools and tradecraft they need to bring to bear when targeting your organization. They can take this one step further and apply for said job, and if they secure an interview, they can glean much more granular information about the tech stack, assuming the interviewer isn’t careful about the details they reveal.
- The Defensive Measures
- Don’t get overly granular with job descriptions. If you need someone comfortable administrating a Windows enterprise environment, leave it at that. Don’t include OS version numbers or specific configuration requirements.
- During the interview process, don’t discuss specific configurations of your network environment or code base. You can determine if a person is right for the job without having them understand the nitty-gritty technical details of how you do business.
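A pre-publication check for job postings along these lines can be automated. This is an added example, not part of the original post: it flags product names followed by version numbers, and treats internal host names and IP addresses as instances of "specific configurations" (an assumption of this example). The product list, rule names and draft text are constructed.

```python
import re

# Product list and rule names are constructed for this example; extend them for your own stack.
PRODUCTS = r"(?:Windows Server|Exchange|SQL Server|Tomcat|vSphere|Ubuntu|Java|PHP)"
RULES = [
    # A product name followed by a version, e.g. "<product> 2016" or "<product> 8.5".
    ("product-version", re.compile(PRODUCTS + r"\s+v?\d+(?:\.\d+)*(?:\s?R2)?", re.I)),
    # Host names under typical internal-only suffixes.
    ("internal-host", re.compile(r"\b[\w-]+\.(?:corp|internal|local|lan)\b", re.I)),
    # Dotted-quad addresses, which have no place in a public posting.
    ("ip-address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Constructed job-posting draft.
DRAFT = """\
Administer Windows Server 2012 R2 domain controllers and Exchange 2016.
Maintain Tomcat 8.5 application servers behind build01.corp.
Comfortable administering a Windows enterprise environment.
"""


def lint_posting(text):
    """Return (line_number, rule, matched_text) for each over-specific detail."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, rule, m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, rule, matched in lint_posting(DRAFT):
        print(f"line {lineno}: {rule}: {matched!r}")
```

The third line of the draft, which names only a "Windows enterprise environment", produces no finding.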
Google It
- Google is an amazing resource for developing a good social engineering pretext. A good Google search can reveal what the company is working on, who they are working with, and what may interest its employees. All these data points can be used to create a false persona that will fool even the most suspicious of employees. For example, say your company lists key clients they’ve earned over the years. A bit of research to determine VIPs from those key clients gives a hacker a great starting point to create a convincing social engineering persona.
- The Defensive Measures
- User awareness training is especially important here. Based on business needs, a lot of this information can’t be hidden (after all, you want to brag about the awesome clients your business has and the cool things it’s working on). Your employees need to be vigilant and wary of unusual emails, calls, or texts.
- To double down on the Social Media defensive measures, develop multi-person approval chains and persona verification procedures before executing sensitive business actions like wire transfers, account creation, etc. This way, if someone pretends to be a VIP, there are mechanisms in place to verify that identity or require others to approve before an action can be initiated.
Social Engineering
- Too many people are of the opinion that humans are inherently selfish creatures. Those people have never conducted a social engineering attack. If they had, they would realize that people want to be helpful. This is a great instinct to have for the betterment of society; however, hackers are glad to take advantage of it. I have witnessed social engineers getting corporate passwords out of unsuspecting employees or even tricking them into installing remote access tools by pretending to be help desk technicians. These employees' contact information was typically found using either social media or sales enablement tools such as ZoomInfo.
- The Defensive Measures
- See the defensive measures under “Google It”: user security awareness training and appropriate approval procedures for sensitive actions.
Conclusion
As you can see, threat actors have many resources to use to case an organization, and the above list is only the tip of the iceberg! Following the suggested Defense Measures is a great way to start shoring up your organization's public presence. If you want to hear more about attacker techniques or understand how RADICL can better help your organization’s defenses, please reach out!