The nature of today's corporate computer use has changed the perimeter to be the user's desktops and mobile devices. End users' constant interactions with cloud-based services and social networking sites are making traditional defense moot. To adapt, security professionals must meet new security challenges head-on by considering their defensive measures as an attacker might.
How? By putting on their offensive hat.
When we take a look at the typical attack process, it includes reconnaissance, scanning, exploitation, maintaining access, and cleaning up. For attackers to be successful, they have two choices. They can go for the target of opportunity that's easy and doesn't require much preparation to attack (sometimes something they simply stumble on). Or they can go for a targeted attack that requires research and, often, patience.
Reconnaissance, while commonly overlooked and discounted, is a key phase that provides successful targeted attackers (and penetration testers) with information about the target: the server and application technologies in use, employees, locations, and much more. Often called OSINT, or open-source intelligence, because it relies on publicly available sources, the recon phase covers anything that helps the attacker achieve his goal. Security pros can leverage the same tools and techniques as attackers to identify unintentionally exposed devices on the Internet and users leaking sensitive information via social networking sites, and address those issues before they're used in an actual attack.
Where to start? The simplest starting point is Internet search engines like Google, Bing, and Yahoo. Searches for company name, key file names, employee numbers, and other unique information can turn up leaked files, dumped data on Pastebin, or plans to attack the company in the coming weeks. Over the years, I've seen searches turn up everything from accidental disclosures of personal patient and employee information on company sites, to evidence of compromises by user credentials and server names in an online bulletin board.
It's important to note that using search engines is not a one-shot deal, because the content changes over time. Maybe the search engine's crawler hasn't yet found and indexed the website hosting the content, or maybe the content hasn't been published yet. Either way, this isn't a quick few hours of work after which you're done forever, which is why researchers from Stach & Liu have developed a suite of tools called "Search Diggity" to help security professionals run better, more targeted searches that can be automated.
Social networking sites have contributed quite a bit to the change in the perimeter and the ability for employees to post revealing information and interact with practically anyone, including attackers, around the world. Some of the interesting things include co-workers' names, office locations, pictures inside of company buildings (like data centers), and personal information (i.e., birthday, spouse, kid names). Attackers can then use that information to social-engineer users into giving up passwords over the phone or get past the questions required to reset an account password.
Tim Tomes, senior security consultant at Black Hills Information Security, spoke about the recon process during his talk, "Next Generation Reconnaissance," at Hack3rCon 2012. During the discussion, he released PushPin, a recon tool that specifically targets information posted on the social networking sites Twitter, YouTube, Flickr, Picasa, Instagram, and Oodle.
The most fascinating aspect of PushPin is that it searches those sites not for a specific search term, but by location. Want to look up information potentially posted by employees at a particular office location? Plug in the GPS coordinates of the office, and out come posts to Twitter, pictures on Flickr and Instagram, and videos on YouTube. Tim has made the Python-based tool freely available here.
Other sources of data include DNS and network information published on sites like Robtex where IP addresses, network ranges, and domain names can be searched. There's also the excellent Shodan computer search engine that contains service banners from Internet-accessible servers all over the world. Security pros can find all sorts of juicy information, like internal network and host names exposed through DNS, or unintentionally exposed services that Shodan has found without scanning or touching the target network.
Besides the Web interfaces to those sites, several tools exist to make queries faster and scriptable. Dnsrecon is an excellent example for DNS research, and the PushPin tool also queries Shodan based on location information. Additionally, there is the shodan_search module in Metasploit (written by yours truly), and an iOS app developed by Erran Carey.
All of these resources can be used for evil, but enterprise security teams should be taking advantage of them just as eagerly to help secure their networks. Information published on social networking sites can often be removed quickly, and the responsible person identified and counseled on the proper use of such sites. Exposed services found through Shodan can be taken down or blocked with a quick firewall change.
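The defensive workflow the preceding paragraphs describe, as an added example that is not code from this article or from any of the tools it names: recon output (DNS answers and Shodan-style service hits) is compared against what the security team has approved for Internet exposure, so that leaked internal DNS entries and unexpected public services can be flagged for takedown. The record shapes, the approved-inventory format and the internal-name suffixes are assumptions, and every input below is constructed.

```python
"""Triage recon findings against an inventory of approved public exposure.
Added example; the input formats are assumptions, not dnsrecon/Shodan output."""
import ipaddress

# Constructed public DNS answers for a hypothetical zone: (name, type, value).
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("vpn-backup.corp.example.com", "A", "10.20.30.40"),          # RFC 1918 address in public DNS
    ("intranet.example.com", "CNAME", "fileserver01.corp.local"),  # internal host name leaked
]

# Constructed Shodan-style hits: (ip, port, banner excerpt).
SHODAN_HITS = [
    ("203.0.113.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx"),
    ("203.0.113.25", 25, "220 mail.example.com ESMTP Postfix"),
    ("203.0.113.77", 3389, "Remote Desktop Protocol"),
    ("203.0.113.10", 8080, "HTTP/1.1 200 OK\r\nServer: Jenkins"),
]

# What the security team has approved for Internet exposure: {(ip, port)}.
APPROVED = {("203.0.113.10", 443), ("203.0.113.25", 25)}

# Suffixes that should never appear in public DNS (assumed for this example).
INTERNAL_SUFFIXES = (".local", ".internal", ".corp.example.com")

# RFC 1918 checked explicitly: ipaddress's is_private also matches documentation
# prefixes such as 203.0.113.0/24, which the sample "public" addresses use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dns_leaks(records):
    """Return (name, reason) for public DNS entries that reveal internal assets."""
    findings = []
    for name, rtype, value in records:
        if rtype == "A" and any(ipaddress.ip_address(value) in net for net in RFC1918):
            findings.append((name, "resolves to private address " + value))
        elif rtype == "CNAME" and value.endswith(INTERNAL_SUFFIXES):
            findings.append((name, "points at internal host " + value))
    return findings

def unapproved_exposures(hits, approved):
    """Return (ip, port, banner) for services seen on the Internet but not approved."""
    return [(ip, port, banner) for ip, port, banner in hits if (ip, port) not in approved]

if __name__ == "__main__":
    for name, reason in dns_leaks(DNS_RECORDS):
        print(f"DNS leak: {name}: {reason}")
    for ip, port, banner in unapproved_exposures(SHODAN_HITS, APPROVED):
        print(f"Unapproved exposure: {ip}:{port} ({banner.splitlines()[-1]})")
```

Each finding maps directly to a remediation the article mentions: pull the record from public DNS, or block or take down the unapproved service.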
These resources are out there and being used by attackers and penetration testers. Why not do the same and use them before they're used against you?