Successful Network Attacks - Phase One: Reconnaissance

by Daelphinux

Network attacks are a common threat in the modern world.

Businesses, affiliations, community organizations, and even individuals are at risk to these kinds of dangers.  While the attacker may have any number of motivations, the attacks are often carried out in similar ways.  Successful attackers must be dedicated and committed to the attack they are attempting to carry out.  Moreover, they must be diligent in successfully completing each of the five phases of a network attack.

These phases are considered common knowledge in the security fields:

Phase 1: Reconnaissance - Gathering as much useful information about the target as possible.

Phase 2: Scanning - Gathering useful information about the target's networks and any possible exploits.

Phase 3: Gaining Access - Getting into the network to be able to accomplish the attack's goal.

Phase 4: Maintaining Access - Ensuring access to the network persists long enough to accomplish the attack's goal.

Phase 5: Covering Tracks - Obfuscating the attacker's presence on the network such that they cannot be traced.

Each of these phases is critical to the success of an attack.  They form a kind of pyramid where each step builds upon the success of the previous one.

With poor reconnaissance, a network scan is unlikely to have the proper information necessary to ensure that accurate loopholes and useful exploits can be found.  With a bad network scan, it is unlikely that access will ever be gained.  With no gained access, there is no access to maintain, and if there is never any access, there are no tracks to be covered.

Additionally, each phase has various processes and skills necessary to achieving the end result.  A successful attacker will have to understand all of these processes and skills; conversely, a successful defender will have to understand them just as well.  Understanding the methodology of an attack will allow a defender to stay one step ahead of an attacker, but just like an attack will fail with a single misstep, so will a defense.  Security professionals must be vigilant to watch for signs of oncoming attacks, learn to recognize each phase, mount a defense against each phase, and contingently prepare for failing to prevent each phase.

For each phase, there will be an overview of what occurs during the phase, a view on how to recognize the phase, how to defend against it, and how to prepare for failing to defend.  Further, scenarios will be given that will allow a defender to know what to expect on the attacker's end.  Once a security professional understands how to recognize each phase, they will be able to apply that information in aggregate to recognize when an attack is likely to be coming; however, truly predicting that is a combination of luck and experience.

Phase One: Reconnaissance

In order to do anything successful in a given setting, knowledge of the tasks and obstacles that may prevent the task is crucial.  After determining an end-goal for the attack, such as gathering user data from a target, the first real step in the attack process is to gather useful information about the target.  "Useful" is a very important word here.  During the reconnaissance phase, a wealth of useless information will, inevitably, be gathered.  It is important to be able to filter out the junk information and retain the useful information, although it is unlikely one will be able to perform that filtering on the spot.

In this phase, the attacker will likely be gathering information from every avenue imaginable.  They will be running deep web searches, calling public phone lines, checking the WHOIS entries of any of the target's domains, launching social engineering attacks (things such as phishing, email scams, prodding users for information, and even making new friends), and going so far as to dive through Dumpsters for improperly disposed-of documents.  This will leave the attacker with a giant wealth of information.  Most of it will be completely and utterly useless.  Within that overbearing mountain, however, a skilled attacker will be able to gather information that will be extraordinarily useful.  A couple of stray printer configuration pages, a list of email addresses, or some network shares written down on scraps are invaluable in this phase of an attack.

An attacker will be looking for anything that gives them clues regarding the target's:

This information will give the attacker what they need to determine if any known exploits exist for the target's systems and begin formulating a plan to look for unknown exploits.

It is very difficult to recognize the reconnaissance step of an attack.  Security footage or reports of Dumpster divers can be a good clue, but even those aren't necessarily indicative of an incoming network attack.  Those could be completely innocuous situations where a person is trying to reap usable hardware with no desire for any data, or even someone down on their luck just trying to score a meal.  The rest of the methods commonly used for reconnaissance are almost impossible to detect as being malicious, as they are not really any different from the day-to-day actions of a normal end-user.

However, while this is the most difficult phase to detect, it is the easiest to defend against.  The flow of useful information is paramount to the attacker's success in Phase One; the easiest solution is to cut off the flow of information.  Some pieces of useful data cannot be denied: WHOIS information, addresses of company buildings, any publicly available phone numbers, or even basic website information and email addresses will always be able to be accessed.  However, ensuring on-site security and destruction of purchase order information, manufacturer manuals, boxes for critical equipment, and anything bearing network information (server names, IP addresses, etc.) up to and including things as seemingly innocuous as printer configuration pages can make a world of difference in an attack.
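As an added illustration (not part of the original article), a small pre-disposal check that flags the kinds of network identifiers named above in a document's text, so that anything carrying them is routed to destruction rather than the trash.  The printer configuration page it runs over is a constructed sample, not a real device or network; the patterns are heuristics and the internal-suffix list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the sort of printer configuration page the article says
# should be destroyed rather than thrown away.  No real hosts or addresses.
SAMPLE_PRINTER_PAGE = """\
Printer Configuration Page (constructed sample)
Host Name: PRN-ACCT-02.corp.example.internal
IPv4 Address: 10.42.7.21   Subnet Mask: 255.255.255.0
Default Gateway: 10.42.7.1
SMTP Server: mail.corp.example.internal
Scan-to-folder: \\\\FS01\\Finance\\Scans
Contact: j.doe@example.com
"""

# One pattern per class of identifier the article calls valuable to an
# attacker: IP addresses, email addresses, network shares, server names.
# The hostname rule only looks for internal-style suffixes (assumed list).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "unc_share": re.compile(r"\\\\[\w.-]+(?:\\[\w.$-]+)+"),
    "hostname": re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|lan|corp)\b", re.I),
}


@dataclass
class Finding:
    kind: str
    value: str


def find_network_info(text: str) -> List[Finding]:
    """Return every network identifier found in text, grouped by kind."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(kind, m.group(0)))
    return findings


def disposal_decision(text: str) -> str:
    """'destroy' if the document carries anything useful to reconnaissance,
    otherwise 'discard' (plain trash is acceptable)."""
    return "destroy" if find_network_info(text) else "discard"
```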

Employees and other associates should be instructed to destroy certain documents once their purpose has been fulfilled.  In most cases, simply shredding a document with a cross-cutting shredder will suffice.  However, for particularly sensitive information, it may not be a bad idea to maintain burn storage for documents that will need to be burned, in most cases, by an off-site solution.  Although this includes a third party in the security process, with proper vetting and research, a reputable third-party destruction solution is often a more cost-effective route.

Although these steps prove to be very easy to plan in theory, they are much harder to implement in practice.  Ensuring that information never leaves the facility places a requirement on end-users, service employees, and executives that may or may not be fulfilled.  Company policies do a lot to promote good practice, but human nature tends to work against that.  Mistakes are made, lazy practices exist, and sometimes it comes down to forces of habit.  If employees are used to simply throwing documents away instead of destroying them, it may be difficult to retrain them to perform a different task.

However implemented, the goal of a Phase One defense is to prevent the flow of useful information.  Even better is to implement a plan that prevents the flow of any information, but that is, alas, unrealistic.  It would not be cost effective in most environments to destroy or prevent any information that would otherwise leave the facility when comparing the benefits to the risk.  However, in ultra-high security situations, this solution has proven to be viable.

Should a well-formed defense fail against a Phase One attack, it is likely that a Phase Two attack would be incoming.  The best preparation for the failure of a defense against all but two of these phases directly correlates to successfully defending against the next phase, the exceptions being Phase Three and Phase Five, which will be addressed in their appropriate sections.
