Reconnaissance Phase of the Cyber Kill Chain
“Reconnaissance” is the first phase of the 7-step Cyber Kill Chain (CKC) model, which maps sophisticated targeted attacks used by cybercriminals such as Advanced Persistent Threat (APT) actors. In the Reconnaissance phase, an attacker uses different techniques to gather as much information as possible about a target — both physical and human vulnerabilities that can be exploited.
Recently, established cybercriminal groups such as FIN1, a financial crime group, have been applying the Cyber Kill Chain model. These more sophisticated criminals are shifting from their earlier forms of cyber attack to ransomware.
In a ransomware scenario, the attack starts an infection chain which creates multiple backdoors into compromised systems. Identifying vulnerabilities through reconnaissance allows cyber criminals to better choose their enterprise victims. The aim is to create a “cyber image” of an organization (e.g. its structure, infrastructure, key partners, brands, subsidiaries, geographical footprint, and employees).
An oft-repeated motto in cybersecurity is that people are the weakest link in the security chain. Attackers know this. A business can have the most comprehensive security system; however, a single human mistake can cause that security to crack and crumble.
Three of the most common human errors that can leave companies vulnerable to a ransomware attack are:
- Misconfiguration of servers
- Leaving sensitive data exposed in data stores such as Elasticsearch or MongoDB
- Failing to stay current in patch management
Each of these errors compromises the integrity of your cyber attack surface. These vulnerabilities may result in a leak of your critical data and/or an entry point for a ransomware attack.
One of the most common categories of sensitive data exposed by a breach is Personally Identifiable Information (PII) and credentials, which include:
- Addresses and email addresses
- Credit information
- Passports, driver’s licenses
- And so much more…
Criminals use this information for a variety of nefarious purposes, including employee account takeover, which is yet another of the ransomware gangs’ tactics for initiating an attack. And it can begin with a cybercriminal detecting a data leak while executing the reconnaissance phase of the Cyber Kill Chain model.
Seemingly harmless information such as a professional email address can have a devastating impact in terms of Human Reconnaissance. A common structure for professional email addresses is email@example.com. Once the criminal has the employee’s name, uncovering LinkedIn, Viadeo, or other professional networking profiles is nearly effortless.
Online profiles provide additional information such as role, position, ongoing projects, past experiences, profile picture, personal contact information, and so on. All of this data is compiled to establish a very detailed personal profile of an individual, all of which cyber criminals can use to craft successful phishing, spear-phishing, and ransomware campaigns.
Another treasure trove of information can be sourced through social media accounts linked to professional pages. An example of how a hacker’s reconnaissance can exploit this link could be as simple as finding sensitive code and credentials in a professional GitHub repository. At first, the general purpose of the code may be a bit cryptic.
Then the hacker digs a little further and finds that the repository owner has linked their LinkedIn profile from their GitHub profile page. This makes it easier for attackers to understand the purpose of the code they just found: by visiting the social media profile they discover the owner’s profession, company, title, and professional groups.
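The credentials-in-a-repository scenario above is one that a defender can catch before it reaches a public GitHub page. The following is an added example (written for this article, not CybelAngel’s tooling or any project’s code) of the kind of secret scan an organization can run over its own repositories before publishing: format-specific patterns (AWS key IDs, private-key headers, connection URIs with embedded passwords) plus a Shannon-entropy gate for generic `password`/`secret`/`token` assignments, with placeholder values skipped and every reported value redacted so the report itself does not re-leak the secret. The repository contents, the pattern list, the placeholder list, and the entropy threshold are all constructed assumptions for illustration.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # only a prefix of the value survives, so the report does not re-leak it


# Constructed sample repository (assumption: these are NOT real credentials; the
# AWS key ID is the documented example value, the rest are made up for this demo).
SAMPLE_REPO: Dict[str, str] = {
    "app/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_URL = "mongodb://svc_user:Sup3rS3cretPass@db.internal:27017/prod"\n'
        'API_TOKEN = "a1B2c3D4e5F6g7H8i9J0kLmN"\n'
        'PASSWORD_PLACEHOLDER = "changeme"\n'
        'TOKEN_FORMAT_EXAMPLE = "xxxxxxxxxxxxxxxx"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    "README.md": "Run `make deploy`. Ask the platform team for credentials.\n",
}

# Format-specific patterns: a match is a finding regardless of entropy.
# (Constructed list; a real deployment would use a maintained rule set.)
STRICT_PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # group(1) captures the password part of user:password@host
    "connection_uri_with_password": re.compile(
        r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp)://[^\s:/@]+:([^\s@]+)@"
    ),
}

# Generic assignments (PASSWORD = "...", API_TOKEN = "...") need a second signal,
# string entropy, to keep false positives down.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]+)['\"]"
)
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", ""}
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed cut-off; English words sit around 2.5-3.0)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty or single-symbol string)."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix and the length; enough to locate, not enough to reuse."""
    return f"{value[:4]}…({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return the findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in STRICT_PATTERNS.items():
            m = pattern.search(line)
            if m:
                # report the captured password group when the pattern has one
                findings.append(Finding(path, lineno, kind, redact(m.group(m.lastindex or 0))))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # placeholder or low-entropy filler, not a live secret
            findings.append(Finding(path, lineno, "high_entropy_assignment", redact(value)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an in-memory repository snapshot."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.kind:<30} {f.redacted}")
```

Run against the constructed repository this reports four findings: the AWS key ID, the password embedded in the MongoDB URI, the high-entropy API token, and the private-key file; the `changeme` placeholder and the all-`x` format example are skipped, and the README produces nothing. Wiring a scan like this into a pre-commit hook or CI job is the point: the leak is caught on the developer’s side, before reconnaissance ever has a chance to find it.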
Enterprises can limit the effectiveness of Human Reconnaissance by taking proactive measures. One such measure is providing comprehensive employee awareness programs. Explaining how social media platforms and cross-referencing can be used against the employee and their organization can be extremely effective.
How CybelAngel can foil criminal reconnaissance
Data is leaked negligently on multiple platforms, in multiple countries, in multiple languages. CybelAngel continuously scans connected devices, cloud storage, databases, and other sources in 231 unique country codes (country codes sometimes split by region).
CybelAngel not only detects and resolves data leaks. It addresses vulnerabilities that a ransomware reconnaissance might discover. Resolve the data leak. Avoid a data breach. And, slam the door on a ransomware attack.
Do you know the scope of your organization’s risk for data leaks? CybelAngel will provide you a dashboard that indicates where your company’s data is leaking. It also shows how you rank compared to other organizations in your industry—without any obligation.
If you suspect a data leak, Contact Us. Because data leaks are inevitable, but damage is optional.