If you work in an organization you need to interact with people, and you need those people to be able to find you online and perhaps offline. Staying under the radar is therefore unlikely to be an effective defense against cyber criminals performing reconnaissance and open source intelligence (OSINT) gathering.
Hackers, whether cyber criminals trying to trick you into clicking a ransomware download link or nation state intelligence operatives planning to gain access to your infrastructure, improve their odds massively through proper target reconnaissance prior to any form of offensive engagement. Typical information that would be useful to any attacker includes:
- List of employees with names, positions, e-mail addresses, phone numbers, social media accounts
- Interests of those people – both professional and personal
- Organization charts
- The network of all employees, both personal and business related (social media, organizations, real-life)
- Key personnel with human vulnerabilities that can more easily be exploited, such as substance abuse habits, gambling, financial problems or infidelity
- Key suppliers and customers, and who the typical points of contact would be there
- Servers and services reachable from the internet
- SaaS and cloud services used in the business
- Applications used for business critical communications
- Security practices and policies
- Incident response capabilities
A lot of this information is readily available online. Key sources are the company website, annual reports, social media, search engines, job postings, press releases and media coverage, court documents and marketing material. On the more technical end of the spectrum there are DNS, whois, certificate transparency logs, and tracking of already identified employees in technical forums such as https://stackoverflow.com.
Performing a full footprint study can be quite extensive, but just poking a little in this area can reveal exposed vulnerabilities. Hence, there are three easy things every organization can do to see if the attack surface can be shrunk a little before the bad guys find too much information to play with:
- Ask yourself: what can people find out there in 30 minutes of searching the internet?
- What can that information be used for? Take the mindset of the evil wrongdoer here – look for vulnerabilities and how they could be exploited.
- Finally, ask yourself what you can do to reduce the risk without harming your business opportunities. Hiding vulnerabilities can work for a while, but real risk reduction is only achieved when the vulnerabilities are fixed, so that you no longer have anything to hide.
30-minute footprint exercise
Here’s a quick run-through you can do in 30 minutes or less to see if your footprint is cause for worry:
- Identify employees by doing a site search on LinkedIn (site:linkedin.com inurl:in <companyname>)
- Browse the web page, annual report and marketing materials. Take note of any applications, SaaS products, suppliers, key customers and key personnel mentioned. Make notes!
- Research the key personnel on social media and search engines. Map close relatives, family, friends, hobbies and employment history.
- Do a site search for your own domain (site:yourdomain.com) to see if something interesting pops up. Filtering on file types (filetype:xls, filetype:doc, filetype:txt) can reveal good targeting intel, such as spreadsheets and internal documents that were never meant to be indexed.
- Search your domain on dnsdumpster.com and crt.sh to identify subdomains and interesting services. Certificate transparency logs list every publicly issued certificate, so old test and staging hostnames often show up there long after anyone stopped thinking about them.
- Search the IP addresses and key name phrases on shodan.io to find exposed services.
If you can create a basic map of who's who and what technologies your organization uses from this, you are not alone. That is normal. But if the same map shows potential vulnerabilities (outdated technology, sketchy interests, friends with issues), the risk of exploitation is heightened, both from a technical and a social engineering point of view.
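The crt.sh step above can be scripted. The following is an added example and not code from the original post or from Cybehave: it parses the JSON that crt.sh returns for a `%.yourdomain` query, collects every hostname named in any certificate (subject alternative names included, wildcards stripped), keeps only the names under your own domain, and marks which hostnames appear only on expired certificates, since a forgotten staging host whose certificate lapsed years ago is still worth probing. The sample response, the domain example.com and the hostnames in it are constructed for the demo; the live fetch function is included but not called.

```python
"""Certificate transparency enumeration, the crt.sh step of the 30-minute footprint exercise."""
import json
from datetime import datetime, timezone
from typing import Dict, Optional
from urllib.parse import quote
from urllib.request import urlopen

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (one object per logged certificate).
# name_value carries the certificate's names, newline separated when there are several.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "VPN.example.com",
     "name_value": "VPN.example.com\nowa.example.com\nmail.example.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-07-30T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexampleco-staging.azurewebsites.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])

# Fixed clock so the demo gives the same answer whenever it is run.
FROZEN_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Live query (not used by the offline demo). crt.sh is slow on big domains, so cache the result."""
    url = "https://crt.sh/?q=" + quote("%." + domain) + "&output=json"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def extract_hostnames(crtsh_json: str, domain: str,
                      now: Optional[datetime] = None) -> Dict[str, object]:
    """Deduplicate the hostnames under `domain` across all logged certificates.

    Returns {"hostnames": {name: has_unexpired_cert}, "related": [names from other domains]}.
    A hostname seen only on expired certificates is still a lead: the host may be up,
    just forgotten, and nobody has been patching it.
    """
    now = now or datetime.now(timezone.utc)
    domain = domain.lower()
    hostnames: Dict[str, bool] = {}
    related = set()
    for cert in json.loads(crtsh_json):
        not_after = datetime.fromisoformat(cert["not_after"]).replace(tzinfo=timezone.utc)
        unexpired = not_after > now
        for raw in cert.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert only tells us the base name exists
            if name == domain or name.endswith("." + domain):
                hostnames[name] = hostnames.get(name, False) or unexpired
            else:
                related.add(name)  # another domain or cloud host sharing a cert with yours
    return {"hostnames": dict(sorted(hostnames.items())), "related": sorted(related)}


def demo() -> Dict[str, object]:
    return extract_hostnames(SAMPLE_CRTSH_JSON, "example.com", now=FROZEN_NOW)


if __name__ == "__main__":
    result = demo()
    for host, current in result["hostnames"].items():
        status = "current certificate" if current else "only expired certificates, still worth probing"
        print(f"{host:22s} {status}")
    print("names seen alongside yours on shared certificates:", ", ".join(result["related"]))
```

Run against a real domain with `extract_hostnames(fetch_crtsh("yourdomain.tld"), "yourdomain.tld")` and feed the resulting hostnames into the dnsdumpster and shodan.io steps; the "related" list is worth a look too, since a cloud hostname that shares a certificate with your site is usually yours as well.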
What can the footprinting lead to?
Let's start with the people side: phishing, or its more targeted variant, spear-phishing. Let's say your procurement manager can be identified, and you have found that he is friends with the VP of sales of a key supplier on Facebook, and that they follow each other on Instagram, where they have also posted photos from a fishing trip they took together. The procurement manager has also posted repeatedly on reddit about his credit card debt and how frustrated he is that it is so hard to make ends meet in spite of a solid compensation package from the job.
Your company is perhaps very security conscious, giving regular training, enforcing two-factor authentication on e-mail and so on, but Supplier Inc., the company with the fishing VP of sales, is more sloppy. It runs outdated Exchange servers and a webpage built on PHP 5.6, which is end-of-life and no longer receives security fixes. Compromising the VP's e-mail account is probably easy enough, or perhaps it is enough to register a domain name that looks like the supplier's and send the phishing e-mail from there. What if the procurement manager gets an invitation from the VP to go fishing together again, with some extra tempting bait added? A link to the suggested rental cabin makes it very tempting to click for the procurement guy being phished with fishing. The opportunities are many: credential theft, malware installation, honey trapping and so on. Such an event would be hard to detect for most people, and it shows that the digital footprint extends throughout the supply chain.
Of course, the footprint could tell you more, for example about web application vulnerabilities, making it possible to combine phishing e-mails with more technical exploitation. The results could easily be devastating.
What can you do about it?
Hiding is a very poor form of defense. If you have identified vulnerabilities, or potential issues that can become vulnerabilities, the right thing to do is to manage that risk through mitigation.
Killing vulnerabilities is better than hiding. Making it harder to exploit vulnerabilities is better than hiding. Making detection reliable and response a planned process rather than an improvised grasp for straws is better than hiding. When you've done all that, you can think about what you want to hide, but most likely it will be found by someone sooner rather than later.
Cybehave Security Philosophy
If we go back to the phishing trip story – how could the organization have worked to lower the risk here? Here are some suggestions:
- Focus on leading people. Make sure managers know their teams and create a culture of trust. Could the company have helped the manager with his credit card problems? Not by giving him more money, but perhaps by offering financial advisory services as a company benefit, e.g. through an agreement with a bank.
- Does the company have a clear stance on corruption? Would it be appropriate for the cash-strapped procurement manager to accept a nice outing paid for by a supplier? A company with a clear anti-bribery policy would not allow such a thing, or would at least require it to be reported to HR, which in itself reduces the chance of someone going through with it (he may still click the link out of curiosity).
- Is there security awareness training in place? Is the employee aware that he may be a target and that evil people can use his personal online footprint to increase the likelihood that he will click a malicious link? Does he know how to check whether a link is safe? Is there technology in place to help sort out bad domains, such as flagging sender domains that merely look like those of known partners?
- Does the company assess the security of its vendors? An important vendor with a poor security posture is a huge vulnerability waiting to be exploited. Vendor security assessment should be as natural a part of vendor selection as checks on financial solidity. Such assessments drive security improvements in the entire value chain and are thus of great societal value.
Keeping things secret is sometimes the right thing to do. If information has no legitimate business purpose in the public domain, keep it internal. Publish a press release on that great new business deal, but keep the details of the integration and how the systems are used out of the news unless withholding them would damage business. Especially if it looks like something scammers can abuse, be careful with what you share.
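The lookalike supplier domain in the story above, and the question of technology to sort out bad domains, can be made concrete. The following is an added example and not the post's or Cybehave's code: it takes the sender domain from a From: header and compares it against an allow-list of partner domains, undoing the usual tricks (digit 1 for letter l, rn for m, a dropped hyphen, a different top-level domain, the brand padded with an extra word, or the brand used as a subdomain of an unrelated domain). The trusted domains and sample headers are constructed for the demo, and the two-label registrable-domain rule is a simplification; a production check would use the public suffix list.

```python
"""Lookalike-domain check for inbound mail against a list of known partner domains."""
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed allow-list: the domains this organisation really exchanges mail with.
TRUSTED_DOMAINS: List[str] = ["supplier-inc.com", "example.com", "bigbank.no"]

# Single characters attackers swap in because they render alike in many fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that read as one letter at a glance.
PAIR_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Collapse the common visual tricks so 'supp1ier-inc' and 'supplierinc' compare equal."""
    label = label.lower().translate(HOMOGLYPHS)
    for pair, letter in PAIR_GLYPHS:
        label = label.replace(pair, letter)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one- or two-character typos such as 'suplier-inc'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str,
                           trusted: List[str] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None).

    Assumes two-label registrable domains (.com, .no); use the public suffix list
    in production so that 'supplier.co.uk' is not split into 'co.uk'.
    """
    d = sender_domain.lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return ("trusted", registrable)  # covers legitimate subdomains like mail.supplier-inc.com
    name = normalize(labels[-2])
    for t in trusted:
        tname = normalize(t.rsplit(".", 1)[0])
        # Brand used as a subdomain of someone else's domain: supplier-inc.com.evil-host.net
        if d.startswith(t + ".") or ("." + t + ".") in d:
            return ("lookalike", t)
        # Same name once homoglyphs and hyphens are undone, or the same name on another TLD
        if name == tname:
            return ("lookalike", t)
        # A typo or two away from the real name
        if levenshtein(name, tname) <= (2 if len(tname) >= 8 else 1):
            return ("lookalike", t)
        # Brand padded with a lure word: supplier-inc-booking.com
        if tname in name:
            return ("lookalike", t)
    return ("unknown", None)


def domain_from_header(from_header: str) -> str:
    """Pull the domain out of an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


# Constructed From: headers of the kind a mail gateway or a cautious reader would inspect.
SAMPLE_FROM_HEADERS = [
    "Kari Salg <kari.salg@mail.supplier-inc.com>",     # real supplier, legitimate subdomain
    "Kari Salg <kari.salg@supp1ier-inc.com>",          # digit 1 for letter l
    "Kari Salg <kari.salg@supplierinc.net>",           # hyphen dropped, other TLD
    "Kari Salg <kari@supplier-inc-booking.com>",       # brand padded with a lure word
    "Kari Salg <kari@supplier-inc.com.evil-host.net>", # brand as a subdomain elsewhere
    "IT Support <it@exarnple.com>",                    # rn for m
    "Newsletter <news@unrelated.com>",                 # nothing to do with us
]


def demo() -> dict:
    return {h: classify_sender_domain(domain_from_header(h)) for h in SAMPLE_FROM_HEADERS}


if __name__ == "__main__":
    for header, (verdict, match) in demo().items():
        print(f"{verdict:9s} {match or '-':18s} {header}")
```

A check like this belongs in the mail gateway as a rule that tags or quarantines "lookalike" verdicts, but the same logic works as a training aid: showing an employee that supp1ier-inc.com and supplier-inc.com are different domains is far more convincing than telling him to "check the link".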
Build a stronger security culture
Cybehave's phishing simulations and awareness training are cloud software that can help you build a stronger security culture and motivate the organization to follow security best practices.
If you want to read more about our phishing simulator and e-learning system, please visit https://cybehave.no/services/phishingbot-e-learning/