Have you often wondered why your organization has been the target of a hacking attack? Most of non-automated campaigns are often carefully planned out by the attacking individuals or groups. But how does the malicious criminal cyber intelligence really work? Continue reading to learn about some of the novel techniques that are used by the hackers.
Every Hack Begins With Intelligence Gathering
Hackers don’t randomly choose their targets. In the last few decades large-scale attack campaigns use automated attacks in conjunction with exploit kits to carry out coordinated intrusion attacks against thousands of computer hosts per second. However the most efficient way to gain access to a system is to use the traditional way of intruding by researching their targets, uncovering their weakness and exploiting the issues.
The reason why social engineering tactics, also known as phishing attacks, are so successful in most cases is because the criminals have been able to obtain valuable information that is considered legitimate by the victims. Famous perpetrators such as Kevin Mitnick prove that intelligence gathering is as much important as the hacking attempt itself.
If the attacks are made against individuals then the most obvious place to look is their social media account. A lot of people disregard the fact that they sometimes post a lot of data that can easily be accessed and analyzed by attackers. Pattern recognition can be used to make a guess with a high degree of probability about their daily life. Password security is often neglected and as such accounts can easily be hijacked. And when a hacker has obtained in-depth information about the target they can continue to the next step – overtaking their machines as well.
Companies and organizations are more complex. They are usually much harder to penetrate as most businesses have adopted security practices that effectively defend against intelligence gathering.
Novel Cyber Intelligence Gathering Techniques
There are a lot of tools that are used for automated and easy intelligence gathering on potential targets. An example application allows hackers to conduct detailed analyses about different hosts using various techniques. Here are some features that are bundled with some of the tools used by both attackers and information security experts:
-
WHOIS Lookups – They use the query and response protocol that reveals information about Internet resources such as domain names, IP address blocks or autonomous web systems.
-
Retrieval of Analytics Information – Hackers can use publicly available network services such as Netcraft to research the running operating system, web server version, uptime and other important information about remote servers.
-
Subdomains Identification – Search engines and web pages analysis can reveal the full tree of the specified remote server which may reveal unsecured backend services or pages that are not intended to be accessed by the ordinary users of the host.
-
E-Mail Address Search – Hackers can use various search engines and queries to reveal information about sent or received messages that are issued by the target’s mail servers.
-
DNS Analysis – This technique uses MX and NS DNS records query.
-
Multiple Data Sources Information Extraction – The tools employ reconnaissance information gathered from various services that include Ablock lists (to see if the host matches any ad servers), AlienVault’s IP reputation database, various blacklists, username credentials checks, PGP public keys storage and etc.
In addition to everything mentioned above there is another very dangerous source of information – multimedia data. Practically every image file contains a rich set of metadata which can be harvested for useful information including geolocation. This technique has provided for numerous crimes against ordinary users who have posted various images of themselves while on tour on popular social media services. The hackers have analyzed their posting and traffic pattern and have used the fact that they are away to physically intrude into their homes or perform account credentials attacks.
Other intelligence methods that are popular among hackers include traffic sniffing. This is an effective strategy that uses rogue Wi-Fi honeypots or other wireless networks to sniff the carried communications. The packet capture can then be analyzed for any credentials or sensitive information using filters and various freeware software.
Current Trends in Intelligence Gathering
The criminal developers currently focus on exploiting the popular social media channels as they allow them to access large amounts of data that is often interconnected with other web services. The primary aim of these services is to build a rich profile of the user and enable him to interact with other users and engage in group discussions and other types of interaction. The fact that the majority of these actions are executed through mobile devices and are handled in real time gives attacker the tactical advantages of using their tools in real time to analyze the potential targets. These tools allow the hackers to construct and update local copies of media content spanning years.
We have already seen some utilities that allow the users to be tracked using their tweets and Instagram posts by using Geolocation data extracted from the services. The extracted datasets can then be plotted to Google Maps and the hackers can use world zones and tags to construct accurate timelines of the person’s activity.
Various hacking attacks can be used to help gather more information. This is particularly true when various spoofing attacks are used, hackers frequently use them to impersonate known devices on the network.
Intelligence Gathering Cannot Be Effectively Countered
The most dangerous fact about network and information reconnaissance is that it cannot be effectively countered. While there are several security measures that can be introduced to the organization and their internal network and online resources and services, the hackers are always one step ahead in the challenge. Intelligence gathering usually uses a mixed approach – it targets both machines (servers and other systems) and their users (operators or administrators). As such the required defensive measures need to be both proactive, up-to-date and implemented properly.
A number of security audits, reports and independent research has shown that social engineering remains one of the top causes of some of the high-profile cyber incidents when it comes to non-automated attacks. In many cases the end goal of the criminals is to intrude into the target systems and introduce dangerous malware or sabotage the network completely.