“Failure to prepare is preparing to fail.” Advanced cyber attackers know this as well as anyone. That’s why they devote an entire phase of any cyber attack to preparing for it. This phase is known as reconnaissance.
As prepared as advanced attackers are, companies should be just as prepared to deal with them.
Reconnaissance is the initial period of an attack when attackers get familiar with an organization, gathering information to discover its weaknesses and to identify where to focus for an initial entry point. Some of the questions an attacker asks during recon are: Who are the key people in the company? Who does the company do business with? What information can I find that’s publicly available about the company?
Attack preparation involves the tedious, detailed work of delving into open-source intelligence. The more information attackers uncover, the more likely the attack is to succeed. Attackers will scour social media sites to get familiar with employees. They’ll browse news articles and press releases. They’ll look for information about the IT and OT systems. And they don’t necessarily limit their scope to the company in question – vendors, suppliers, and maintenance contractors are also possible attack vectors.
Looking for key personnel is an important part of recon – as the saying goes, humans are the weakest link in security. That’s why LinkedIn proves to be a favorite tool for hackers. A target employee need not necessarily be anyone as prominent as the CEO. Attackers may focus on a fresh hire, for example, who would be unlikely to know all their fellow employees and would therefore make a good target for phishing emails. Or an attractive target may be someone who works on a specific technology.
Reconnaissance is also the period when attackers look into the target network. They begin probing the network to find out which ports are open, which operating systems, services, and applications are in use, and where vulnerabilities exist.
On the attacker’s side, preparing for an attack is key to its success, and a motivated attacker may spend a significant amount of time doing so. The same is true for defenders. Being prepared and having a plan in place is key to staying afloat when an attack is detected.
Our story of a targeted attack in the manufacturing industry, The Hunt, contains plenty of examples of how attackers meticulously prepare and plan, and the care they take in going after their targets. Read it for the inside story of how a targeted attack is carried out, and how attackers leverage publicly available information to exploit a company’s people, processes, and technology.
After all, when you know what you’re up against, you can better prepare.