Today I’m going to be speaking from the point of view of an attacker. But not just any attacker. I’m looking through the eyes of what our industry has deemed an Advanced Persistent Threat (APT). This is the beginning of a series of posts that will discuss what I will do as I move through the Kill Chain.
For those that aren’t familiar with the Kill Chain, please refer to this post from Tom Cross in which he goes over the Kill Chain and how it relates to Advanced Persistent Threats in great detail. (Incidentally, the first post in his APT blog series discusses the various uses for the term ‘APT.’ For the purpose of my posts, I am referring to an APT as a type of attack, versus a class of adversary.)
Now that we’ve established that for my next several blog posts I’m going to play the part of someone you would never want on your network, we are going to take our first stop along the Kill Chain – reconnaissance.
I have a chosen target. My motivations are purely financial. I have a buyer ready, and he has a lot of money to spend on a new list of active credit card numbers. So, a retail corporation seems like a natural target; multiple locations that are hard to track combined with a ton of credit card numbers.
I could start with a port scan, but I don’t think I’m ready for that yet. Let’s start soft. Let’s start with some research. First, I’ll go to the corporate website and look for a job opening in IT. Conveniently, many of the operating systems, hardware and software that my target uses will probably be listed under the skills needed by whichever candidates apply for the open job. These specifics will help me target my attack to focus on what the company actually has in its infrastructure. Thanks for narrowing down my scope, retail giants!
After I’ve poked around on the website and gathered some systems information and some general contact information, I’ll take a look at LinkedIn. Now, LinkedIn is more than just a fantastic networking tool. It’s also great for giving me names and profiles of specific employees. I’m going to start with the people in the IT Department, but it’s not for the reason you think. I don’t care about their names (yet). I also don’t care about their contact information. What I do care about is what their job duties and responsibilities are. This is going to help me dig up more network and systems information than the job postings might have revealed.
For example, do the IT employees have high ratings in certain specific areas like Microsoft SQL or Apache? This helps me to expand or narrow my scope from the information I found earlier. After I’ve gathered as much of this information as I can, it’s time to gather contact information for employees in other departments.
I’ll probably look for people in less technically savvy roles – those that might be more focused on getting the job done quickly, rather than securely. Normally, I might look for those that work in sales. However, the people that work in sales for retail have tightly restricted access to the POS system. Yes, I eventually want to get on the POS machine, but it’s generally not going to be my entrance point to the network. In this case, I’m going to look for buyers. In retail, buyers are talking to vendors all the time. They also talk to new vendors, and this is something I can exploit.
After I’ve combed through LinkedIn for those in a buying or planning capacity, and built out my list of IT systems, I may consider doing a port scan of the corporation’s external IP addresses (obtained from various free DNS lookup tools).
All of my research is going to go into preparing the next phase of the Kill Chain, weaponization, which will be covered in my next post.
So, what can you do about an APT during this phase of the Kill Chain? Unfortunately, not much. A lot of this is just passive reconnaissance. You can request that job posts, specifically those having to do with technology, only refer to the technologies in limited terms. Trying to control what your employees post on LinkedIn is not only impossible, it also sets you up for a constant battle in trying to get your users to comply with security policy. More importantly, you can’t dictate what your users do in their free time.
Don’t fret! This part of the Kill Chain is almost completely harmless anyway. You’ll want to focus your efforts on the next several steps, as those are the ones that can be dangerous.