Page 12 - Cyber Warnings August 2017
External reconnaissance
Your organization and its employees have public presences beyond your networks. The first step any attacker is going to take against an organization is to collect as much data as possible, looking for anything that can be used to pry open an entry point. Perform the same external reconnaissance an attacker would on your own organization:
• Check WHOIS info. Is any important internal information being leaked, such as an important technical contact who can be spear-phished or impersonated to social engineer another employee?
• Collect public information on your employees. Using advanced Google searching or other tools like theHarvester, see what information is publicly available about employees, such as names, titles, email addresses, phone numbers, etc. This information can be used as a target list for phishing attempts, as well as to construct wordlists for password cracking attempts. Email addresses often betray the organization’s username scheme, which allows a list of usernames to be generated if employee names are known; that list is also useful in password cracking and reset attempts.
• Find domains / subdomains. Using advanced Google searching, exposed domains and subdomains can be easily located. Sometimes there are forgotten subdomains exposed, and some of these might be system management consoles or forgotten servers used for software development or QA.
• Find exposed documents. Again, using advanced Google searching, proprietary information can often be obtained through documents that have been openly shared by employees on Dropbox, Box, OneDrive, Google Drive, etc.
• Examine your website for data leakage. Valuable organization / employee information and even customer information can be unnecessarily exposed on a web site, providing additional footholds for phishing, social engineering, or password attacks.
External reconnaissance can be an eye-opening exercise. This is where threat actors begin their attack on your organization. It can instead be where you leave them empty-handed.
Test your perimeter
An interesting thing I’ve observed about defensive mindsets: they typically check what should be configured, not what is configured. Attackers don’t primarily concern themselves with what is intended – in fact, they specifically focus on what isn’t intended. Test your perimeter for what is actually there, not what you expect is there:
• Port scan your entire public IP range. Administrators commonly configure their scanners for systems that are intended to be on the network and only for public IP addresses that are known to be in use. Port scan the entire public IP range owned by your organization – you might be presented with some surprises. Unexpected systems usually mean unsecured or vulnerable systems.
• Enumerate your DNS servers. Do your DNS servers allow unnecessary zone transfers, or do they serve up entries which lead to other DNS servers which do? An improperly
Copyright © Cyber Defense Magazine, All rights reserved worldwide.
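The "what is actually there versus what you expect" check from the port-scan bullet, as an added example that is not part of the article: it parses nmap's grepable (-oG) output from a scan of your own range and diffs it against an asset inventory, flagging unknown hosts, unexpected open ports, and inventoried hosts that did not respond. The scan output, the 203.0.113.0/29 documentation range, and the inventory are constructed sample data.

```python
# Constructed sample of nmap grepable (-oG) output; the range is TEST-NET-3
# documentation space, so these are not real hosts.
SCAN_OUTPUT = """\
# Nmap 7.70 scan initiated as: nmap -oG - 203.0.113.0/29
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.2 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 203.0.113.6 ()\tStatus: Up
# Nmap done
"""

# Assumed asset inventory: what the organization intends to expose publicly.
INVENTORY = {
    "203.0.113.1": {443},   # public web server
    "203.0.113.2": {443},   # web server; SSH is not supposed to be reachable
    "203.0.113.3": {25},    # mail relay listed in inventory
}


def parse_grepable(text):
    """Return {ip: set(open TCP ports)} from nmap -oG output; hosts with no
    open ports still appear, since an unknown live host is itself a finding."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG fields are tab-separated
        ip = fields[0].split()[1]
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    # entry format: port/state/proto/owner/service/rpc/version/
                    parts = entry.strip().split("/")
                    if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                        hosts[ip].add(int(parts[0]))
    return hosts


def compare(scanned, inventory):
    """List (ip, finding, ports) for everything the scan disagrees with the inventory on."""
    findings = []
    for ip, ports in sorted(scanned.items()):
        if ip not in inventory:
            findings.append((ip, "unknown host", sorted(ports)))
            continue
        extra = sorted(ports - inventory[ip])
        if extra:
            findings.append((ip, "unexpected open ports", extra))
    for ip in sorted(set(inventory) - set(scanned)):
        findings.append((ip, "inventoried but not responding", []))
    return findings


if __name__ == "__main__":
    for ip, finding, ports in compare(parse_grepable(SCAN_OUTPUT), INVENTORY):
        print(f"{ip:15} {finding}: {ports}")
```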