Rami Mizrahi is the Vice President of Engineering at Fidelis Cybersecurity. He is responsible for bringing world-class cloud security and eXtended Detection and Response (XDR) platforms to life.
When investigating cyber-attacks in an organization, the starting point for the investigation is typically the moment of infection, the “boom.” The investigation moves to the “right” by considering everything that happened after that initial “boom” and how to respond. The goal is to find how the attacker got in and what the attacker did while inside.
The process for advanced attacks, however, includes a lot of research before the actual infection attempts. From the attackers’ view, the reconnaissance phase is usually the most important one. It consists of collecting preliminary information, constructing attack scenarios, using social engineering, studying the target’s network topology as much as possible and defining the attack goals.
In this blog we will discuss the left side of the attack timeline, what happens “left of boom” – before the infection. We will cover the recon phase of attackers and how we sometimes provide information to the attacker without knowing. We’ll discuss what a corporate digital footprint is, how to find out what our footprint is, and how to use it to our advantage.
An important part of the recon phase is the collection of as much data as possible on the target of the attack. One of the easier and more covert methods to collect this data is to gather publicly available intelligence. Every company has an online corporate footprint. This footprint includes all public data that is available on the company. Obviously, company public assets are part of it – the web server, social network profiles, the VPN server, etc.
But this footprint also includes any public data that can be found on the company – different types of documents, employee lists with details, servers that are in use, lists of vendors or partners and much more. Searching for this data typically starts with search engines – Google is the most common one, but not everything is indexed there – and moves on to social media and to other advanced tools or engines – Shodan, historic DNS data and more. Since the Internet never forgets, these searches will often find human mistakes, misconfigured web servers, temporary files and, in many cases, keys and credentials.
A simple example – even though people do not intentionally upload their passwords or keys to the web, even a novice attacker will be able to find many of these online. We’ve previously reported how easy it is to find credentials that were mistakenly uploaded to sharing sites like GitHub. In the same way, sometimes innocently scanning a file on a web-based virus check engine will cause the file to be searchable and available to all. During their recon phase, advanced attackers will quietly and rigorously search for all data on your company before starting an attack campaign. They will deeply review your digital footprint, conduct other recon methods, like social engineering, and use whatever they can to find holes in your corporate security. Any data found on your users, your servers, your partners can be used against you during an attack.
But in addition to the security risk of your online footprint, there are also other risks, like business, legal or reputation. If your internal pricing catalog can be found online, your competitors will find it; if HR emails are found online, you may be facing legal or regulatory issues. In almost all cases, there will also be implications for your digital brand and your company’s reputation.
Identifying Your Footprint – Know Your Public Terrain
When protecting an organization, one of the key steps is to know your terrain – understand what you are protecting. In the same way, to protect yourself from attacker recon, you should know your public-facing terrain – identify your digital footprint. Just like you regularly scan your network for vulnerabilities, you should scan the web to find what other people can find about you and your enterprise. In the next section, we’ll cover a couple of tools that can be used to identify your footprint. Attackers use these same tools for their recon. We will cover VirusTotal & Maltego, but there are many more. You can see some of them in this awesome list on GitHub.
It only takes one mistake like uploading the wrong data to the wrong place for damage to be done. Most online services and tools will accept requests to remove your private data from their databases, but this will probably be too little, too late. There is no big UNDO button for removing a document with passwords from the web. Simply deleting it doesn’t mean it will be removed from other sites and engines that cached it or from attackers that already downloaded it.
While identifying our footprint, we should aim to minimize future information that can put us at risk. For that we need to first be aware of what we upload to the web and educate our organization on these risks.
Identifying Your Footprint – VirusTotal
VirusTotal is a well-known online tool for malware scanning, using more than 70 anti-virus and security engines. It is commonly used in the security industry and can be easily used by individuals as a malware scanner, when downloading a file from the web or from an email. Security tools also use VirusTotal to validate and identify files. VirusTotal can check a file based on its hash or by uploading the file.
Now, how can we use the VirusTotal engine to gather data on our digital footprint?
Searching for a domain on VirusTotal reveals data on all subdomains and files that reference them. Here you can find files that were previously uploaded and include your domain name. If someone uploaded a document with your corporate email in it, it is part of your digital footprint and will show up in this search. VirusTotal also has nice visualization for its data, which helps in this recon phase.
You can also search the VirusTotal site with other search engines for file names that match your company name or other strings.
Example of searching for Google.com on VirusTotal
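The domain search described above can also be scripted against VirusTotal's v3 API, so the footprint review can be repeated on a schedule. This is an added example, not Fidelis code or VirusTotal's client library; it assumes the documented `GET /api/v3/domains/{domain}/subdomains` and `.../referrer_files` endpoints, the `x-apikey` header, and an API key supplied in a `VT_API_KEY` environment variable (my naming). Without a key it runs on constructed sample responses in the v3 shape.

```python
"""Inventory a domain's VirusTotal footprint: subdomains and files that mention it."""
import json
import os
import urllib.request

VT = "https://www.virustotal.com/api/v3"


def fetch_relationship(domain: str, relationship: str, api_key: str, limit: int = 40) -> dict:
    """GET one page of a domain relationship (network call; skipped in the offline demo)."""
    url = f"{VT}/domains/{domain}/{relationship}?limit={limit}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_referrer_files(page: dict) -> list:
    """Reduce a referrer_files page to hash, names seen and engine verdicts.
    Clean files are listed first: a document nobody flagged but that still
    references your domain is exactly what a footprint review is looking for."""
    out = []
    for item in page.get("data", []):
        attrs = item.get("attributes", {})
        stats = attrs.get("last_analysis_stats", {})
        out.append({"sha256": item.get("id"),
                    "names": sorted(set(attrs.get("names", []))),
                    "malicious_votes": stats.get("malicious", 0)})
    return sorted(out, key=lambda f: (f["malicious_votes"], f["sha256"]))


def subdomain_names(page: dict) -> list:
    return sorted(item["id"] for item in page.get("data", []))


# Constructed sample responses in the v3 shape (not real VirusTotal data).
SAMPLE_REFERRERS = {"data": [
    {"type": "file", "id": "a" * 64, "attributes": {
        "names": ["Q3_pricing_internal.xlsx"],
        "last_analysis_stats": {"malicious": 0, "undetected": 70}}},
    {"type": "file", "id": "b" * 64, "attributes": {
        "names": ["invoice.exe", "invoice(1).exe"],
        "last_analysis_stats": {"malicious": 41, "undetected": 29}}}]}
SAMPLE_SUBDOMAINS = {"data": [{"type": "domain", "id": "vpn.example.com"},
                              {"type": "domain", "id": "dev-old.example.com"}]}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    refs = fetch_relationship("example.com", "referrer_files", key) if key else SAMPLE_REFERRERS
    subs = fetch_relationship("example.com", "subdomains", key) if key else SAMPLE_SUBDOMAINS
    print(json.dumps({"subdomains": subdomain_names(subs),
                      "files": summarize_referrer_files(refs)}, indent=2))
```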
Identifying Your Footprint – Maltego
Another popular tool for gathering intelligence is Maltego.
“The focus of Maltego is analyzing real-world relationships between information that is publically accessible on the Internet. This includes footprinting Internet infrastructure as well as finding information about the people and organisation who own it.” (from the Maltego web site)
Maltego is a very comprehensive tool – here we will focus on how it can be used for collecting data on your digital footprint. Given a domain name, Maltego will collect and visualize data from the web on that domain. It has built-in functions for certain types of data, like reverse IPs, subdomains and emails. It also includes third-party integrations, some using API keys that you supply, that collect data from additional sources and add it to the big picture. All data that is collected is nicely visualized and indexed for easy analysis.
When searching for your company domain, Maltego can reveal IPs, subdomains, related files, emails, social media accounts, already leaked credentials of your users, services, open ports, cloud instances, and much more.
Example of the Maltego data visualization
Turning the Footprint into an Advantage – Alter the Terrain
Now that we know our footprint, we can take that information and turn it into an advantage for us over the attackers. In a similar way that we use Deception to alter the terrain and catch attackers that are in the organization, we will use deception here. We will alter our public footprint to fool attackers and gain intelligence on their attack methods. We will plant breadcrumbs that blend into our public footprint and lead to public facing Decoys.
Decoys – The decoys in this scenario will be fake servers that are deployed on the public web or in your DMZ. They should resemble servers and assets that you have in your public footprint.
Breadcrumbs – The breadcrumbs will be pieces of information that lead to those Decoys. They can be documents, passwords & IPs that are placed in different places on the web. These should also be part of what is expected to be your digital footprint.
Despite the similarity, public facing deception is very different from internal enterprise deception, with regard to its benefits and challenges. Its findings should help you prepare yourself for an attack and not waste your time chasing internet noise. In order to get valuable intelligence on attackers that are looking for you, your deception needs to alter your existing terrain and not stand out.
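One way to keep public-facing deception from drowning in Internet noise is to make every planted credential unique to where it was planted, then triage the decoy's login attempts against that registry: an exact match tells you which part of your footprint was harvested, a spray of generic usernames is just counted. The following is an added example, not Fidelis code; the log format, placements and credentials are all constructed for the demo.

```python
"""Triage login attempts against a public-facing decoy (e.g. a fake VPN portal)."""
import re
from collections import Counter

# Planted credentials -> where each breadcrumb was seeded (constructed).
BREADCRUMBS = {
    ("svc-backup", "Bkp!2020-vpn"): "credentials in a 'leaked' config snippet",
    ("jdoe", "Summer2021!"): "password inside an uploaded .xlsx on a file scanner",
}
# Usernames that scanners spray at anything; never planted by us.
NOISE_USERS = {"admin", "root", "test", "guest", "user"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<res>\S+)$")


def classify(user: str, pw: str) -> dict:
    """Map one attempt to a severity and, for a hit, the breadcrumb placement."""
    placement = BREADCRUMBS.get((user, pw))
    if placement:
        return {"severity": "high", "reason": "planted credential used", "placement": placement}
    if any(user == u for u, _ in BREADCRUMBS):
        return {"severity": "medium", "reason": "planted username, wrong password", "placement": None}
    if user in NOISE_USERS:
        return {"severity": "info", "reason": "generic spray", "placement": None}
    return {"severity": "low", "reason": "unknown username", "placement": None}


def triage(log_lines):
    """Parse decoy auth logs; return actionable alerts and a noise count per source."""
    alerts, noise = [], Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        verdict = classify(m["user"], m["pw"])
        if verdict["severity"] in ("high", "medium"):
            alerts.append({"src": m["src"], "user": m["user"], **verdict})
        else:
            noise[m["src"]] += 1
    return alerts, dict(noise)


# Constructed decoy log lines (not real traffic).
SAMPLE_LOG = [
    "2021-09-01T03:12:07Z src=203.0.113.5 user=admin pass=admin result=fail",
    "2021-09-01T03:12:09Z src=203.0.113.5 user=root pass=toor result=fail",
    "2021-09-01T11:40:13Z src=198.51.100.7 user=svc-backup pass=Bkp!2020-vpn result=fail",
    "2021-09-01T11:41:02Z src=198.51.100.7 user=jdoe pass=Winter2021! result=fail",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[0]:
        print(alert)
```

A high-severity hit is the signal the section is after: it tells you the attacker has already read that specific breadcrumb, so the rest of that placement's surroundings are worth reviewing before the campaign starts.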
We’ll cover more on this topic in our next blog.