What ingredients make a successful cyber-attack? Part 1: Reconnaissance
The first in a series on breaking down complex cyber-attacks into their basic elements, through examples
You might have heard of recent cyber-attacks that are getting increasingly sophisticated. However, just like any other complex topic, cyber-attacks can be understood from first principles, by anyone who is motivated.
This series aims to break down cyber-attacks into their basic components, for anyone who understands English, is able to learn through reading, and can connect and apply concepts to new scenarios. As a foundation, let’s start off with the famous Lockheed Martin Cyber Kill Chain framework, a high-level picture of cyber-attacks.
The Cyber Kill Chain breaks down cyber-attacks into 7 basic steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Action on Objectives.
In creating this graphic, I took inspiration from Dr. Charles Harry’s Coursera course “Cybersecurity for Everyone,” which is a great introduction to cybersecurity. As the name suggests, reconnaissance is all about scoping the target and figuring out what vulnerabilities to exploit that achieve the attackers’ desired goals. There are 3 broad categories of reconnaissance.
These are: technical, social, and organizational. However, recent attacks illustrate a fourth category, based on complex systems approaches. I’ll illustrate these 4 methods in the context of recent attacks.
One of the features of connecting to the Internet is that every computer receives an IP address, like a street address. There are certain protocols for receiving and sending information over the Internet. The TCP protocol involves establishing a connection between client and server before information is sent.
On top of the TCP protocol are specific “ports”, whose number depends on the type of information being sent and the type of server. For example, TCP port 3306 is typically reserved for MySQL. Thus, in order to send and receive data with everyone across the Internet, you inadvertently expose your IP address and information about the services you are running.
There are multiple ways to get information about open ports. Nmap is an open-source network scanner that discovers hosts and services on a computer network by sending packets of data to IP addresses over the Internet and analyzing the responses. Shodan is a global-scale version of Nmap, and calls itself “the world’s first search engine for Internet-connected devices.”
The range of exposed devices one can see on Shodan is quite scary. Some have even shown that this information can be used to find vulnerable smart cameras with default passwords and view their real-time feeds.
Hackers use technical reconnaissance methods to identify vulnerable computers, and cybersecurity experts use the same information to identify vulnerabilities that need to be fixed. This is what happened in the case of the WannaCry ransomware.
Cyber criminals took advantage of a weakness in Microsoft Windows, even though Windows had issued an update that took care of this weakness two months prior to the attack. They scanned the Internet for open TCP port 445, associated with Windows directory services. Unfortunately, many individuals and organizations did not update their systems and were left exposed to the attack. The hackers threatened to permanently delete victims’ files unless their demand for a ransom of $300 worth of bitcoin was met.
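The WannaCry case above is the combination of two facts a defender can check for themselves: a service port that should never face the Internet is open, and the system behind it is missing the update. The script below is an added example, not code from the original post or from the Nmap or Shodan projects. It parses a constructed sample written in the style of Nmap’s grepable (`-oG`) output, flags any Internet-facing host exposing a service from a “never exposed” policy (ports 445 and 3306 from the post, plus 3389 for Remote Desktop), and escalates the finding when a constructed patch inventory shows the required update is missing. The addresses, hostnames, inventory and update name are all made up for the example.

```python
from typing import Dict, List, Set

# Constructed sample in the style of nmap's grepable (-oG) output. Addresses come
# from the reserved TEST-NET-3 range and hostnames are invented; not a real scan.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 203.0.113.10 (fileserver.example.test)\tStatus: Up
Host: 203.0.113.10 (fileserver.example.test)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 203.0.113.20 (db.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0/
Host: 203.0.113.30 (www.example.test)\tPorts: 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/
# Nmap done
"""

# Policy: services that should not be reachable from the Internet at all.
# 445 and 3306 are the ports mentioned in the post; 3389 (Remote Desktop) is added here.
NEVER_INTERNET_FACING = {
    445: "Windows directory/file services (the port WannaCry scanned for)",
    3306: "MySQL",
    3389: "Remote Desktop",
}

# Update that must be applied before the service on that port is tolerated even
# inside the perimeter. The name is a constructed placeholder, not a real bulletin id.
REQUIRED_UPDATE = {445: "windows-smb-update-PLACEHOLDER"}

# Constructed patch inventory: the set of updates each host has applied.
PATCH_INVENTORY: Dict[str, Set[str]] = {
    "203.0.113.10": set(),   # never patched: the WannaCry situation
    "203.0.113.20": set(),
    "203.0.113.30": set(),
}


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Parse nmap -oG 'Host: ... Ports: ...' lines into {ip: [service records]}."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]            # "Host: 203.0.113.10 (name)"
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # -oG port layout: port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                hosts[ip].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6] if len(parts) > 6 else "",
                })
    return hosts


def triage(hosts: Dict[str, List[dict]], patch_inventory: Dict[str, Set[str]]) -> List[dict]:
    """Flag open policy-violating ports; escalate when the required update is missing."""
    findings = []
    for ip, services in hosts.items():
        applied = patch_inventory.get(ip, set())
        for svc in services:
            port = svc["port"]
            if svc["state"] != "open" or port not in NEVER_INTERNET_FACING:
                continue
            required = REQUIRED_UPDATE.get(port)
            missing = required is not None and required not in applied
            findings.append({
                "ip": ip,
                "port": port,
                "service": svc["service"],
                "why": NEVER_INTERNET_FACING[port],
                "missing_update": required if missing else None,
                # exposed AND unpatched is exactly the WannaCry exposure
                "severity": "critical" if missing else "high",
            })
    # critical findings first, then by address and port for stable reporting
    findings.sort(key=lambda f: (f["severity"] != "critical", f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_grepable(SCAN_OUTPUT), PATCH_INVENTORY):
        note = f" (missing {f['missing_update']})" if f["missing_update"] else ""
        print(f"[{f['severity'].upper()}] {f['ip']}:{f['port']} {f['service']} - {f['why']}{note}")
```

Run against a real `nmap -oG` file of your own Internet-facing ranges, the same logic gives you the list an Internet-wide scanner would have found before an attacker does; the patch inventory is where to plug in your own configuration-management data.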
More recently, in the Exchange hacks (attributed to China), the hackers automatically scanned basically the entire Internet for vulnerable Microsoft Exchange servers and compromised them before they could be patched.
In the aftermath of the attack, Shodan provided API access to identify vulnerable servers so that hopefully they could be fixed. You can see the results below, showing more than 13,000 vulnerable servers around the world, still not fixed.
In March 2016, a cyber intrusion occurred that could have sealed the fate of the 2016 U.S. elections. John Podesta, the chair of Hillary Clinton’s campaign, unwittingly handed over his personal Gmail account details to Russian hackers.
Why? Because he received an email that looked like a Google security alert, but was in fact a fake login page. In an extremely unlucky turn of events, Podesta sent the email over to the IT department because he suspected it of being fake. An IT employee replied saying the email was “legitimate,” when he actually meant “illegitimate.”
This could have been a typo that lost an election
Or at the very least — an important moment in the 2016 election. Such attacks are called social engineering attacks — the manipulation of people that results in them divulging confidential information.
Not all employees in a company have the same access to information. In the same way, not all devices on a computer network are equal. While purely technical attacks might do a good job of finding every computer across the entire Internet running a vulnerable piece of software, they might not be the best approach to identifying which device stores the most sensitive information, and how to get access to that device.
Also, the computers of C-level employees might have a higher chance of containing sensitive information than those of an employee chosen at random. Attacks leveraging the organizational component require knowledge about the internal workings of organizations: specifically, what information is stored where, and how to gain access to those devices.
In 2017, Equifax announced a data breach wherein sensitive personal information of more than 148 million Americans was stolen, including social security numbers. This attack involved a multi-layered reconnaissance that was initially technical, followed by a detailed understanding of where this information was located within Equifax networks.
Hackers initially scanned the Internet for devices running a vulnerable version of Apache Struts, a framework for creating web applications. They were able to compromise the Equifax dispute resolution server. Once they had access to this server, they were able to figure out, through encrypted communication channels, where personally identifiable information was located.
The image below from the U.S. Government Accountability Office (GAO) shows how attackers leveraged both technical methods and organizational approaches once they were inside the Equifax network, to steal large amounts of personal information.
Until recently, cyber-attacks largely started with hackers obtaining reconnaissance on technical vulnerabilities in an organization’s networks, or from employees who were the target of a social engineering scheme and handed over information to these hackers.
In order to prevent technical reconnaissance by hackers, the Department of Homeland Security has tools to detect and block signs of cyber attacks. The Einstein tool records network traffic sent to federal networks, similar to a camera capturing cars on a highway. In the case of suspicious traffic, it sets off an alarm.
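The Einstein description above, a recorder of inbound traffic that raises an alarm on suspicious patterns, is worth making concrete, because the reconnaissance from the earlier sections has a recognisable shape in traffic records. The script below is an added example, not code from the original post and not a description of how Einstein itself works. It runs two simple detections over a constructed flow log: a “horizontal sweep” (one source probing the same port on many destinations, the WannaCry and Exchange pattern) and a “vertical scan” (one source probing many ports on one destination). The window, threshold, addresses and timestamps are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed flow records: "timestamp src_ip dst_ip dst_port". Addresses are
# from reserved documentation ranges; this is not a real capture.
FLOW_LOG = """\
2021-03-02T10:00:00Z 192.0.2.5 203.0.113.30 443
2021-03-02T10:00:01Z 198.51.100.7 203.0.113.10 445
2021-03-02T10:00:01Z 198.51.100.7 203.0.113.11 445
2021-03-02T10:00:02Z 192.0.2.5 203.0.113.30 443
2021-03-02T10:00:02Z 198.51.100.7 203.0.113.12 445
2021-03-02T10:00:03Z 198.51.100.7 203.0.113.13 445
2021-03-02T10:00:03Z 198.51.100.9 203.0.113.20 21
2021-03-02T10:00:04Z 198.51.100.9 203.0.113.20 22
2021-03-02T10:00:04Z 198.51.100.7 203.0.113.14 445
2021-03-02T10:00:05Z 198.51.100.9 203.0.113.20 25
2021-03-02T10:00:05Z 192.0.2.5 203.0.113.30 443
2021-03-02T10:00:06Z 198.51.100.9 203.0.113.20 80
2021-03-02T10:00:07Z 198.51.100.9 203.0.113.20 443
2021-03-02T10:02:30Z 198.51.100.9 203.0.113.20 3306
"""

Record = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Record]:
    """Turn the constructed log into (timestamp, src, dst, dst_port) tuples."""
    records: List[Record] = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return records


def detect_scans(records: List[Record],
                 window: timedelta = timedelta(seconds=60),
                 threshold: int = 5) -> List[dict]:
    """Alert once per (kind, key) when a source touches >= threshold distinct
    destinations on one port, or distinct ports on one destination, within window."""
    # per key, a sliding window of (timestamp, observed value)
    seen: Dict[Tuple[str, tuple], Deque[Tuple[datetime, object]]] = defaultdict(deque)
    fired = set()
    alerts: List[dict] = []
    for ts, src, dst, dport in records:
        checks = (
            # kind,            key,          value that must vary
            ("horizontal_sweep", (src, dport), dst),    # many hosts, same port
            ("vertical_scan",    (src, dst),   dport),  # many ports, same host
        )
        for kind, key, value in checks:
            q = seen[(kind, key)]
            q.append((ts, value))
            while q and ts - q[0][0] > window:          # expire old observations
                q.popleft()
            distinct = {v for _, v in q}
            if len(distinct) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append({
                    "kind": kind,
                    "src": src,
                    "target": key[1],       # the port swept, or the host scanned
                    "distinct": len(distinct),
                    "at": ts,
                })
    return alerts


if __name__ == "__main__":
    for a in detect_scans(parse_flows(FLOW_LOG)):
        print(f"{a['at'].isoformat()} {a['kind']}: {a['src']} -> {a['target']} "
              f"({a['distinct']} distinct in window)")
```

The repeated benign connections from the first source to one host on one port never trip either rule, and the probe that arrives two and a half minutes later falls outside the window. Fed real NetFlow or firewall logs, the same two rules are the first thing a perimeter monitor like the one the post describes would alarm on; the thresholds are where the tuning against your own traffic happens.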
However, recent events highlight a new kind of reconnaissance, due to interdependencies between multiple organizations. Because modern organizations are dependent on several other organizations, vulnerabilities in one organization cascade over to the other organizations.
This is what happened in the SolarWinds cyber-attacks, discovered in December 2020. In this case, hackers took advantage of the SolarWinds Orion software platform, used by a majority of Fortune 500 companies and governmental networks for monitoring IT networks.
Clients of the Orion software are told to make a firewall exception for this software to work properly. By compromising a SolarWinds Orion software update, the hackers managed to compromise not only SolarWinds Orion, but many of its downstream customers. In this case, the Einstein detection system completely failed, as it was not meant to monitor vendor networks.
More recently, the Kaseya ransomware attacks in 2021 also point to the rise of a new “supply chain cyber-attack” era. In the case of Kaseya, customers were even further removed from the original Kaseya breach. Kaseya was used by IT service providers, who in turn supported their customers’ IT networks. Ultimately, many of the estimated 1,000 customers breached might not have known that their network security was so tied to the security of Kaseya.
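The cascade the two cases above describe, one vendor, then its direct customers, then the customers of those customers, is a graph question, and the useful defensive exercise is to walk it from the vendor outward. The script below is an added example, not code from the original post and not tied to any real organization: it takes a constructed map of who receives software updates or remote management from whom, and for a chosen vendor computes every organization that sits downstream, how many hops away it is, and the trust path that connects them. The names, edges and relationship labels are all invented for the example.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed dependency map: org -> list of (upstream org, kind of trust).
# Names are invented. "rmm-vendor" plays the role of a remote-management
# product used by IT service providers; "monitoring-vendor" a network monitor.
DEPENDS_ON: Dict[str, List[Tuple[str, str]]] = {
    "msp-a":             [("rmm-vendor", "remote management")],
    "msp-b":             [("rmm-vendor", "remote management")],
    "retailer-1":        [("msp-a", "remote management")],
    "dentist-2":         [("msp-a", "remote management")],
    "law-firm-3":        [("msp-b", "remote management"), ("monitoring-vendor", "software update")],
    "agency-4":          [("monitoring-vendor", "software update")],
    "monitoring-vendor": [],
    "rmm-vendor":        [],
}


def downstream_index(depends_on: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[Tuple[str, str]]]:
    """Invert the map so each org lists who depends on it: upstream -> [(downstream, kind)]."""
    index: Dict[str, List[Tuple[str, str]]] = {org: [] for org in depends_on}
    for org, upstreams in depends_on.items():
        for upstream, kind in upstreams:
            index.setdefault(upstream, []).append((org, kind))
    return index


def blast_radius(vendor: str,
                 depends_on: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Every org reachable downstream of vendor, mapped to the trust path from vendor to it.
    Breadth-first, so the first path found is also the shortest (fewest hops)."""
    index = downstream_index(depends_on)
    paths: Dict[str, List[str]] = {}
    queue = deque([(vendor, [vendor])])
    while queue:
        org, path = queue.popleft()
        for dependent, kind in index.get(org, []):
            if dependent in paths or dependent == vendor:
                continue                      # already reached by a shorter path
            paths[dependent] = path + [f"--{kind}-->", dependent]
            queue.append((dependent, paths[dependent]))
    return paths


def hops(path: List[str]) -> int:
    """Number of organizations between the vendor and the endpoint, plus one."""
    return (len(path) - 1) // 2


if __name__ == "__main__":
    for vendor in ("rmm-vendor", "monitoring-vendor"):
        radius = blast_radius(vendor, DEPENDS_ON)
        print(f"{vendor}: {len(radius)} organizations exposed")
        for org, path in sorted(radius.items(), key=lambda kv: (hops(kv[1]), kv[0])):
            print(f"  {org:<12} {hops(path)} hop(s): {' '.join(path)}")
```

The two-hop entries are the Kaseya situation in the post: organizations that never dealt with the vendor directly but inherit its compromise through their service provider. An organization that keeps this map for its own suppliers can answer, the day a vendor advisory lands, which of its systems are in reach and along which trust relationship, which is precisely the question a perimeter monitor cannot answer.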
The first step to a cyber-attack is reconnaissance — hackers seek to discover vulnerabilities in their targets, to achieve malicious end goals. There are 3 broad classes of reconnaissance — technical, social, and organizational reconnaissance. Many attacks feature a combination of different types of reconnaissance.
For example, the Clinton campaign email hack was based on social engineering, as employees were asked to provide their email account information, but also organizational, as it targeted key members of the Clinton campaign.
I’ve also shown that recent events illustrate a fourth class of sophisticated reconnaissance, wherein hackers take advantage of complex interconnections between organizations that propagate vulnerabilities downstream, as in the case of the recent SolarWinds and Kaseya breaches. In the coming articles, I will discuss what hackers do after reconnaissance, once they have identified targets and vulnerabilities.
If you enjoyed this week’s post, please share it on social media, or with even just one person you think might enjoy holistic perspectives on the interconnections between technology and modern societies. Feel free to also post any comments in the post discussions on the cyber-physical Substack page. This is a small but growing effort, and I hope that I can share my journey in understanding and building resilient societies.
Senior Data Scientist in NLP. Creator of https://www.answerchatai.com/