How Adversaries Conduct Reconnaissance For Computer Network Operations
Today’s focus is on reconnaissance during computer network operations. Advanced adversaries are only as good as their reconnaissance, and the purpose of this activity is to make follow-on activities like gaining network access as easy as possible.
Zero-days may get the headlines, but misconfigured applications and unpatched systems are a much easier and repeatable way to gain network access.
Advanced adversaries are simply better at finding and planning to exploit basic vulnerabilities like these.
So what does the Adversarial Mindset actually represent?
Imagine if an adversary wanted to digitally break into a government or critical infrastructure facility. This type of attack requires far more than running nmap scans around the clock waiting for an open source exploit to show up in the results, or simply purchasing a zero-day exploit.
From the adversarial perspective, consider the challenges:
- First, and most importantly, we would need access to technical and analytical talent. Talent in forensics, software development, scripting, data science, data engineering, application reversing, application development, assembly, analysis, open source research, priority intelligence collection management, and native language capability in the target environment are all necessary to conduct advanced attacks.
- Second, to conduct spearphishing, we’d have to target employees who have critical access and pull together targeting packages containing meaningful convincing content to entice opens and clicks. We would need to be able to scour the internet to find interests, vulnerabilities in the employees’ personal lives, work associates, friends, physical addresses, family profiles, travel and commuting information, and potentially even vulnerabilities in their family and friends to exploit.
- Third, we’d need to be able to access as much personal identifiable information (PII) on the individuals as possible. This means we need to have access to troves of data with an ability to locate individuals, selectors, and signatures of interest.
- Fourth, we would also need to be able to see other businesses or entities that have relationships with the target whose connections would look innocuous. We’d actively look for weaker targets that may have access to the larger target. Going against a larger institution would require a larger research and development effort due to their more mature security stack.
- Fifth, we would need infrastructure to conduct these types of reconnaissance methods. Of course we would need typical anonymous or mis-attributable domains for command and control infrastructure. But more importantly, we need a one-stop shop for secure access to anonymized internet to minimize the likelihood of operational security mistakes. This would allow us to maintain infrastructure to backstop activity with personas, websites, and mis-attributable selectors. Facilitating payment anonymously and at scale would be an important part of this infrastructure as well.
- Sixth, we need tools. Zero-day exploits always help but are often not needed, especially if you have a well-rounded technical reconnaissance team. Tools that aggregate data into one platform, provide external telemetry, allow the transfer of data from one environment to another, allow the purchase of mis-attributable domains quickly so payment can’t be tracked, or provide automation to reverse an application to look for vulnerabilities in the software stack are far more useful in the reconnaissance stage.
- Seventh, we may need to have the ability to recruit personnel to physically enter a location to install a device or gain knowledge from an insider’s perspective.
After the adversary has conducted the necessary reconnaissance, steps can be taken to weaponize the intelligence discovered to conduct an attack.